If you’re running a WordPress site and rely on the Post SMTP plugin for email delivery, there’s something…

If you’re running a WordPress site and rely on the Post SMTP plugin for email delivery, there’s something important you should know. A critical vulnerability is affecting versions 3.2.0 and earlier allowed even the lowest-level users, like Subscribers, to access sensitive data and actions they were never supposed to see or perform.

This issue came down to how the plugin handled user permissions in its REST API. The plugin checked only if a user was logged in, but didn’t ask whether that user had the proper role or capabilities to access certain features. This meant that anyone with a basic account could view email logs, resend messages and even access full email content, including password reset messages.

That last part is where things get dangerous. By viewing those password reset emails, a Subscriber-level user could reset the password of an Admin account. From there, they’d have full control over the site. This kind of account takeover risk is about as bad as it gets for any site relying on WordPress.

According to Patch Stack’s report, the fix arrived in version 3.3.0, where the plugin’s developers updated the get_logs_permission function. Instead of just checking whether a user is logged in, it now confirms whether they have the manage_options capability, which typically belongs only to Admins. That change closed the door on the broken access controls and stopped the account takeover threat.

The vulnerability, now tracked as CVE-2025-24000, was originally reported by Denver Jackson through Patchstack’s Zero Day program. The responsible disclosure was made on May 23, 2025, and by June 11, the patched version of Post SMTP was publicly released.

If you’re using this plugin and haven’t updated yet, make sure you’re running version 3.3.0 or higher. Any site with open registration, whether for comments, eCommerce or memberships, is especially at risk if this vulnerability remains unpatched. It’s one of those cases where a small oversight in permissions logic opened up access to highly sensitive data that should never be visible to most users.

Post SMTP Plugin Flaw Allowed Subscribers to Take Over Admin Accounts

The “Tea” app, a new and popular social platform for women, confirmed a major data breach affecting users…

The “Tea” app, a new and popular social platform for women, confirmed a major data breach affecting users who joined before February 2024. The announcement was made on Friday, July 25, 2025, via the app’s official channel (@theteapartyqueens).

****Breach Details****

The breach, occurring at 6:45 a.m. PT, primarily impacted an archived system, not current user data. Approximately 72,000 user-submitted images were compromised. This includes about 13,000 selfies and photo identifications from account verification, and roughly 59,000 images publicly viewable through posts, comments, and direct messages, some dating back over two years. Tea stated that this data was stored to meet law enforcement standards for cyberbullying prevention.

The app requires new users to submit a verification selfie and a photo of their government-issued ID, which is used to verify that new sign-ups are indeed women. The company clarified that no email addresses or phone numbers were accessed, and the affected photos cannot be linked to specific in-app posts.

According to 404 Media, which first reported the incident, the breach may have been triggered by anonymous right-wing trolls on 4chan, an image-based message board, following calls for a “hack and leak” campaign.

These 4chan users claim to have discovered and accessed an exposed database on Firebase (Google’s mobile app development platform) belonging to Tea, subsequently sharing users’ personal data and selfies online. Evidence, including screenshots, 4chan posts, and code, was reviewed by 404 Media.

The vulnerability reportedly stemmed from the app’s Firebase storage bucket being publicly accessible, a practice linked to “vibe coding,” where developers might use AI tools without a sufficient security review. Although the original post has been removed, the compromised data has reportedly spread across various platforms, including other social media sites like X and decentralised networks such as BitTorrent, with some users even creating Google Maps links displaying general coordinates of affected individuals.

****Company Response Under Scrutiny****

The Tea app team stated they are working quickly with internal security teams and trusted experts to address the issue. They asserted that no current or additional data has been accessed.

However, as reported by VX-Underground on X, even over 12 hours after the compromise was reported, the Firebase instance remained accessible, and users could still upload data, seemingly contradicting the company’s claims of immediate remediation.

Source: VX-Underground via X.com

For your information, the “Tea” app is a platform founded by Sean Cook in 2023 where women could share experiences and information about men, including rating them as “red flags” or “green flags,” uploading photos of men (often sourced from social media) and direct sharing of information through group chats.

While positioned as a safety tool, it has faced criticism and legal questions concerning privacy violations and potential defamation, particularly from men. The timing of the breach coincided with the app’s surge in popularity, reaching the top of Apple’s App Store this week.

Tea App Breach: Women Only Dating Platform Leaks 72K User Images

Sublime Security reveals a cunning romance/adult-themed scam targeting German speakers, leveraging Keitaro TDS to deliver an AutoIT-based malware loader. Learn how this sophisticated campaign operates, its deceptive tactics, and the hidden payload.

A recent cyberattack campaign is preying on German speakers with a deceptive adult-themed and romance scam to deliver malware. The sophisticated operation leverages a legitimate traffic distribution system (TDS) called Keitaro TDS to redirect unsuspecting victims to malicious domains. This campaign was discovered by the security research firm Sublime Security, and they exclusively shared their findings with Hackread.com.

Report authors, Sublime Security’s detection engineer Bryan Campbell and threat researcher Brian Baskin, explained that the emails involved in this campaign use enticing language and offer links to explicit content, aiming to draw the recipient in.

A key warning sign identified by Sublime’s AI-powered detection engine was the inclusion of a password for a protected archive directly within the email – a highly unusual practice for legitimate communications. Furthermore, the emails often came from unfamiliar senders with inconsistent names, email addresses, and reply-to details.

****How the Attack Works****

Victims receive emails with two malicious links, one disguised as a video preview image and another linking to an archive file. When clicked, the system checks if the user’s location is in Germany. If it is, a 300MB ISO file is downloaded in the background from a server based in Russia. This file contains the actual malware.

The attackers’ use of Keitaro TDS is crucial. This system allows cybercriminals to precisely target victims, ensuring only individuals from specific regions, like Germany, and even during certain hours, are exposed to the malicious content. This precision helps attackers increase their success rate by tailoring their approach to a specific audience.

Malicious email (Image via Sublime Security)

****The Hidden Threat Within****

Once downloaded, the ISO file is designed to evade detection. After removing extra _junk_ data, the remaining content is a standard container that can be mounted as a drive. This drive then holds another large executable file, “lovely_photos.exe,” and a text document with the password for a self-extracting archive.

Upon execution, the malware prompts for a password, conveniently provided in the original email and the extracted text file. This initiates the extraction of multiple files, including explicit images and other files, into the user’s temporary directory. A batch script then runs, building an AutoIt interpreter to execute a highly disguised AutoIt script.

AutoIt is a legitimate scripting language, but here it’s weaponised. This script further attempts to bypass antivirus software by checking for running services and delaying its execution.

The final AutoIt script, heavily obscured, then establishes persistence by creating a Windows scheduled task named DragonMapper, ensuring the malware runs every time the user logs in. This research serves as a vital reminder that threat actors can create highly targeted campaigns, delivering tailored messages for a higher success rate.

Malicious ISO File Used in Romance Scam Targeting German Speakers

Arizona woman jailed 8.5 years for aiding North Korea's $17 million IT job scam, defrauding over 300 US companies. Learn how to protect your business from such sophisticated cybersecurity threats.

An Arizona woman has been sentenced to over eight years in prison for her significant role in a fraudulent operation that funnelled more than $17 million to North Korea. According to the US Department of Justice (DoJ), Christina Marie Chapman, 50, from Litchfield Park, assisted North Korean Information Technology (IT) workers in posing as US residents to secure remote jobs at 309 American companies, including Fortune 500 corporations.

Image via US DoJ

This case represents one of the largest North Korean IT worker fraud schemes ever prosecuted by the US DoJ, in which Chapman received a sentence of 102 months (8 years) in prison, along with three years of supervised release, for her guilty pleas on February 11 in the District of Columbia. Her charges included conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder money.

Chapman’s scheme involved operating a laptop farm at her home, where she received and hosted company computers. This deceptive setup made companies believe the work was being performed within the US. She specifically shipped 49 laptops and other devices supplied by US companies to locations overseas, including multiple shipments to a city in China bordering North Korea.

Equipment seized from Chapman’s home (Source: DoJ)

According to court documents (PDF), she also shipped company laptops overseas, including to a city in China bordering North Korea, and forged payroll checks using 68 stolen American identities. These illicit earnings, falsely reported to US tax and social security agencies, were then transferred to individuals abroad.

The defrauded businesses included a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car maker, a luxury retail store, and a US media and entertainment company. Some of these companies were actively targeted by the IT workers who kept lists of desired employers.

US officials condemned Chapman’s actions, emphasising how her scheme financially supported North Korea’s nuclear weapons program and jeopardised national security. Acting Assistant Attorney General Matthew R. Galeotti noted the severe consequences for those who aid foreign adversaries.

According to the DoJ’s press release, the FBI and IRS Criminal Investigation led the probe, seizing over 90 laptops from Chapman’s residence in October 2023. These investigations highlight North Korea’s strategy of deploying skilled IT workers globally to obtain remote employment under false pretences, using US-based facilitators to bypass security measures.

Both the FBI and the State Department have recently issued updated advisories and guidance for HR professionals and businesses, urging caution against such threats and detailing methods used by these illicit IT workers to gain access and generate revenue.

To protect against such schemes, authorities advise businesses to scrutinise identity documents, verify employment history, and implement strict protocols for virtual meetings, including requesting unobscured video backgrounds and checking for AI-generated video anomalies.

Arizona Woman Jailed for Helping North Korea in $17M IT Job Scam

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2…

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2 million, fake currency operation in India. This report details the exposure of individuals and their activities on Facebook and Instagram.

A large-scale counterfeit currency operation is reportedly circulating fake notes worth millions of dollars, which has been brought to light by cybersecurity firm CloudSEK. Its investigation, shared with Hackread.com, CloudSEK’s STRIKE team has not only calculated the vast spread of this illicit trade, estimated at ₹17.5 crore (over $2 million) in fake Indian currency over just six months (December 26, 2024, to June 26, 2025), but has also managed to identify and pinpoint key individuals behind it.

The unique aspect of this exposé lies in the direct attribution of culprits. Using digital forensics, GPS data, and facial recognition technology, CloudSEK has identified and located major players across the Indian state of Maharashtra.

According to Sourajeet Majumder, a security researcher at CloudSEK, “This is the first time that a cyber investigation has offered such precise attribution of counterfeit actors operating in public digital spaces. We didn’t just find content, we identified the key perpetrators.”

Reportedly, bad actors are using popular social media platforms like Facebook and Instagram in this campaign. CloudSEK’s XVigil platform played a crucial role in its detection by monitoring open-source environments for specific terms like “second series” or “A1 notes,” which are codewords used by sellers.

Source: CloudSEK

The investigation revealed over 4,500 posts promoting counterfeit currency and more than 750 accounts or pages involved in selling these fake notes. Furthermore, over 410 unique phone numbers were found to be connected to sellers. These groups even used Meta Ads for paid promotions, openly reaching out to potential buyers. Some sellers went as far as sharing videos, handwritten notes, and even video calls to show the supposed quality of their fake currency, creating a dangerous “trust-based” black market out in the open.

Source: CloudSEK

****Tracking Down the Accused****

CloudSEK’s researchers combined advanced Open Source Intelligence (OSINT) and Human Intelligence (HUMINT) techniques to unmask group administrators and sellers. They collected facial images, phone numbers, exact GPS locations, and social media profiles of the main suspects.

The researchers also identified several accounts operating under aliases such as Vivek Kumar, Karan Pawar, and Sachin Deeva. Geolocation evidence pointed to activity in Jamade Village (Dhule district, Maharashtra) and Pune, strongly suggesting a coordinated syndicate primarily based in Maharashtra, with Dhule being the potential hotspot.

Further probing revealed that the counterfeiters advertise their fake notes through various social media channels using hashtags like #fakecurrency. To gain trust, they engage with buyers via WhatsApp, sharing “proof” images and even offering live video calls. The production involves professional tools like Adobe Photoshop, industrial-grade printers, and paper that sometimes mimics security features like Mahatma Gandhi watermarks and green security threads.

Source: CloudSEK

CloudSEK has shared its findings with relevant law enforcement agencies at both the state and national levels, providing detailed intelligence to aid in disrupting this criminal network and protecting the country’s financial stability.

Researchers Expose Massive Online Fake Currency Operation in India

BreachForums resurfaces on its original .onion domain amid law enforcement crackdowns, raising questions about its admin, safety and future.

The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts.

For your information, in early April 2025, both the clearnet and dark web domains of BreachForums went offline without explanation. Members speculated about possible law enforcement action or a forum seizure.

Then, on April 28, as reported by Hackread.com, the forum’s homepage was replaced with a message stating that a MyBB 0-day vulnerability had left the site exposed to infiltration attempts by law enforcement, and it needed to be taken offline until the issue was resolved. That was the last message before BreachForums disappeared.

****Admin N/A?****

However, earlier today, Hackread.com spotted that the platform’s .onion domain had become active again, now under a new admin handle, “N/A.” The identity of “N/A” is unknown, but they claim the forum’s clearnet domain was suspended by the registrar following complaints and pressure from law enforcement.

Additionally, they claim the MyBB vulnerability has been fixed and that the forum was never compromised, with user data remaining protected throughout. “N/A” also addressed reports about the arrests of ShinyHunters members, denying that any original group members have been taken into custody.

For your information, after the arrest of former BreachForums administrator Conor Fitzpatrick, also known as Pompompurin, the forum reemerged under the leadership of the ShinyHunters group. However, in June 2025, authorities claimed to have arrested members of ShinyHunters, along with IntelBroker, another active member who had also served as the group’s administrator.

“N/A” also denied ever giving admin access to IntelBroker, claiming it was part of a strategy to divert law enforcement’s attention away from the original owners. According to the statement, IntelBroker never had administrative access to the forum.

Message from Admin N/A on BreachForums (Image credit: Hackread.com)

****As XSS.IS Falls, BreachForums Reemerges****

The return of BreachForums comes at a time when law enforcement is intensifying efforts against cybercrime. Less than 24 hours ago, in an operation called “Operation Checkmate,” authorities seized the infrastructure of the BlackSuit ransomware group, including two of its .onion domains.

Just a couple of days ago, the Russian-language cybercrime platform XSS.IS was seized following the arrest of its suspected administrator in Ukraine. While its dark web domain remains accessible, posts from admins and moderators suggest plans to revive the forum on other domains. Meanwhile, the return of BreachForums presents yet another challenge for law enforcement agencies.

The return of BreachForums on the dark web, along with plans to restore its clearnet domains, may be seen as good news within cybercrime circles, but it raises serious questions. Is it a honeypot set up by law enforcement? Who is “N/A”? Where is the original admin team if they haven’t been arrested? If you are active on BreachForums, sign in at your own risk, and consider quitting cybercrime for good.

BreachForums Resurfaces on Original Dark Web (.onion) Address

International law enforcement agencies, including the FBI and Europol, have successfully seized the infrastructure of the notorious BlackSuit ransomware gang in Operation Checkmate. This article details the takedown, BlackSuit's origins, and the ongoing fight against evolving cyber threats.

International law enforcement has dealt a significant blow to cybercrime this week, successfully seizing the vital online infrastructure of the notorious BlackSuit ransomware gang. In a coordinated international operation dubbed “Operation Checkmate,” authorities specifically targeted and took control of the group’s .onion data leak sites and negotiation platforms, which had compromised hundreds of organisations globally in recent years.

The seizure has been confirmed as two of the BlackSuit domains (1, 2) now display a banner announcing their closure by law enforcement, marking a major victory against ransomware threats worldwide.

This operation involved strong collaboration among numerous agencies from various countries, including the United States Department of Homeland Security, the FBI, Europol, the UK’s National Crime Agency, and law enforcement from Germany, Ukraine, Lithuania, and Canada. Cybersecurity firm Bitdefender also played a key role.

****How BlackSuit Operated****

BlackSuit, which emerged in April/May 2023, used a “double-extortion” method to target a wide range of victims, including hospitals, schools, businesses, and government bodies. They showed no specific preference for industry or organisation size, targeting both large enterprises and small and medium-sized businesses (SMBs).

However, similar to its predecessor, Royal ransomware, it appears that groups within the Commonwealth of Independent States (CIS) were deliberately avoided.

Regarding attack tactics, first, they would break into computer networks, encrypting important files and making systems unusable. Then, they would steal sensitive data. If victims refused to pay the ransom, BlackSuit threatened to publish the stolen information on their leak sites, adding more pressure. These seized websites were essential for BlackSuit to communicate with victims and store stolen data, making it difficult for the gang to profit from their illegal activities now.

****A Threat That Keeps Growing****

Security experts believe BlackSuit likely evolved from earlier ransomware groups, possibly linked to the Royal ransomware gang or even the well-known Conti syndicate. BlackSuit itself is a rebrand of Royal ransomware, which was active from September 2022 to June 2023 and is known to have demanded over $500 million in ransoms from hundreds of organisations worldwide. Notable victims of BlackSuit include the Japanese company Kadokawa, Tampa Bay Zoo, and Octapharma, a blood plasma collection organisation.

While Operation Checkmate is a major success, cybersecurity experts warn that ransomware groups often reappear under new names. In fact, Cisco Talos threat intelligence reported on July 24, 2025, that evidence suggests some former BlackSuit members may have already rebranded as “Chaos ransomware,” operating since February 2025.

This new group reportedly uses similar attack methods, including double extortion, and targets systems across Windows, ESXi, Linux, and NAS. However, Operation Checkmate clearly demonstrates that international teamwork is a powerful tool against global cybercrime.

Operation Checkmate: BlackSuit Ransomware’s Dark Web Domains Seized

Medusa Ransomware breached NASCAR, demanded $4 million, leaked sensitive data including maps and staff info, exposing major security failures. The incident was exclusively reported by Hackread.com.

In April 2025, Hackread.com exclusively reported that the Medusa ransomware group had claimed responsibility for breaching the National Association for Stock Car Auto Racing (NASCAR) and was demanding a $4 million ransom. NASCAR has now confirmed that its systems were indeed compromised, validating Hackread.com’s earlier reporting.

Medusa Ransomware’s dark web leak site (Credit: Hackread.com)

According to the data breach notification filed with the Office of the Maine Attorney General, the incident occurred on March 31, 2025, and was discovered on June 24, 2025. However, Hackread.com had alerted NASCAR about Medusa’s breach claims on April 8, 2025, but the company neither responded nor acknowledged the inquiry.

While NASCAR did not disclose how many individuals were affected, it confirmed that the stolen data included files containing names and Social Security numbers. However, Hackread.com’s analysis of the sample data leaked by Medusa on its dark web site revealed that the exposure went far beyond just those details.

A preliminary review of the leaked documents indicates they contain detailed maps of raceway grounds, staff email addresses, names and job titles, as well as credential-related information, pointing to a genuine compromise of both operational and logistical data.

Screenshot from the leaked sample data from the Medusa ransomware gang’s dark web leak site (Credit: Hackread.com)  

Nevertheless, NASCAR has notified the affected individuals and is offering one year of credit monitoring and identity theft protection services through Experian.

This also isn’t the first time NASCAR has been linked to a ransomware incident. In July 2016, a prominent NASCAR team suffered a major ransomware attack when its chief’s computer was infected with a TeslaCrypt variant. The attackers encrypted all files on the system and demanded payment in Bitcoin.

****The FBI Had Warned About Medusa Months Before the NASCAR Breach****

Medusa ransomware has been around since 2021, but its operations have escalated in recent years. One of the group’s more high-profile attacks hit Minneapolis Public Schools in 2023, where it dumped sensitive student and staff data after demanding, and not receiving, a $1 million ransom. Over time, Medusa has also gone after hospitals, city governments, and telecom companies, often leaking massive amounts of internal documents when victims refuse to pay.

Just a few months ago, Medusa grabbed attention again by using stolen digital certificates to shut down anti-malware tools on compromised systems. That move, noted in a March 25 report, allowed them to remain hidden and move through networks without detection.

Before that, on March 13 2025, the FBI and CISA released a joint security alert urging organisations to step up proper cybersecurity protection. Their guidance included enabling multi-factor authentication and keeping an eye out for suspicious certificate activity.

“Medusa’s $4 million ransom demand from NASCAR is significant. So far this year, the group has issued an average ransom of just under $300,000, making this demand over 10 times higher,” said Rebecca Moody, Head of Data Research at Comparitech.

“There could be several reasons for that, including NASCAR’s high-profile status or the volume of data stolen. While the full impact of the NASCAR breach is still unclear, Medusa is already behind one of this year’s largest ransomware-related breaches, with Bell Ambulance reporting 114,000 affected.”

NASCAR Confirms Medusa Ransomware Breach After $4M Demand

A hacker injected a malicious prompt into Amazon Q via GitHub, aiming to delete user files and wipe AWS data, exposing a major security flaw.

A security vulnerability recently surfaced involving Amazon’s AI coding assistant, ‘Q’, integrated with VS Code. The incident, reported by 404 Media, revealed a lapse in Amazon’s security protocols, allowing a hacker to insert malicious commands into a publicly released update.

The hacker, using a temporary GitHub account, managed to submit a pull request that granted them administrative access. Within this unauthorised update, destructive instructions were embedded, directing the AI assistant to potentially delete user files and wipe clean Amazon Web Services (AWS) environments.

Despite the severe nature of these commands, which were also intended to log the actions in a file named /tmp/CLEANER.LOG, Amazon reportedly merged and released the compromised version without detection.

The company later removed the flawed update from its records without any public announcement, raising questions about transparency. Corey Quinn, Chief Cloud Economist at The Duckbill Group, expressed scepticism regarding Amazon’s “security is our top priority” statement in light of this event.

“If this is what it looks like when security is the top priority, I can’t wait to see what happens when it’s ranked second,” Quinn wrote in his post on LinkedIn.

****The Mechanism of the Attack****

The core of the issue lies in how the hacker manipulated an open-source pull request. By doing so, they managed to inject commands into Amazon’s Q coding assistant. While these instructions were unlikely to auto-execute without direct user interaction, the incident critically exposed how AI agents can become silent carriers for system-level attacks.

It highlighted a gap in the verification process for code integrated into production systems, especially for AI-driven tools. The malicious code aimed to exploit the AI’s capabilities to perform destructive actions on a user’s system and cloud resources.

> Yesterday’s incident with Amazon Q was a wake-up call about how AI agents can be attacked.
> 
> PromptKit is trying to solve similar problems and help prevent them from happening again.
> 
> read full post👇https://t.co/atOWfilWFq
> 
> — Mr. Ånand (Studio1HQ) (@Astrodevil\_) July 24, 2025

****A New Solution Emerges****

In response to such vulnerabilities, Jozu has released a new tool called “PromptKit.” This system, accessible via a single command, offers a local reverse proxy to record OpenAI-compatible traffic and provides a command-line interface (CLI) and text-based user interface (TUI) for exploring, tagging, comparing, and publishing prompts.

Jozu announced on X.com that PromptKit is a local-first, open-source tool aiming to provide auditable and production-safe prompt management, addressing a systemic risk as reliance on generative AI grows.

> Today, we’re releasing a first version of Jozu PromptKit
> 
> → a local-first tool for capturing, reviewing, and managing LLM prompt interactions.
> 
> It ensures policy-controlled workflows for verified, auditable prompt artifacts in production
> 
> Free to try and open source. pic.twitter.com/0Up4mc1Vy9
> 
> — Jozu (@Jozu\_AI) July 24, 2025

Görkem Ercan, CTO of Jozu, told Hackread.com that PromptKit is designed to bridge the gap between prompt experimentation and deployment. It establishes a policy-controlled workflow, ensuring that only verified and audited prompt artefacts, unlike the raw, unverified text that impacted AWS, reach production.

Ercan further emphasised that this tool would have replaced the failed human verification process with a strict, policy- and signing-based workflow, effectively catching the malicious intent before it went live.

Hacker Added Prompt to Amazon Q to Erase Files and Cloud Data

Chennai, India, 25th July 2025, CyberNewsWire

**Chennai, India, July 25th, 2025, CyberNewsWire**

xonPlus, a real-time digital risk alerting system, officially launches today to help security teams detect credential exposures before attackers exploit them. The platform detects data breaches and alerts teams and systems to respond instantly.

Built by the team behind XposedOrNot, an open-source breach detection tool used by thousands, xonPlus gives organizations instant visibility when their email addresses or domains appear in breach dumps or dark web forums.

Every day, credentials are exposed in data breaches, often without the affected organizations being immediately aware. In many cases, security teams are first alerted to incidents through ransom demands, threat intelligence reports, or internal support tickets. xonPlus addresses this challenge by providing real-time monitoring of enterprise assets, delivering alerts within minutes of confirmed credential exposure.

> “We kept hearing the same thing: teams had good security stacks, but still found out about exposed credentials too late,” said Devanand Premkumar, Founder of xonPlus.

One compromised login is enough to pivot inside a network. xonPlus gives teams the early warning signal they’ve been missing.

**Built on Proven Foundation**

xonPlus leverages the intelligence infrastructure of XposedOrNot, which has tracked 10+ billions of breach records over the last 8 years and serves millions of queries globally. The platform runs on secure infrastructure powered by Cloudflare and Google Cloud, ensuring enterprise-grade reliability and performance for security-critical operations.

**Key Capabilities**

*   **Real-Time Detection**: Getting alerts within minutes when company credentials appear in a breach, including breach source, exposure date, and recommended next steps.
*   **Seamless Integration**: Works with existing security infrastructure, including SIEM, Slack, Microsoft Teams, and email systems.
*   **Developer-First API**: High-throughput API with rate limits, auth tokens, and audit logs for embedding breach intelligence into security workflows.
*   **Enterprise Scale**: Monitoring unlimited domains and millions of email addresses with customizable alert thresholds.

**Addressing Market Need**

Unlike large threat intel platforms requiring long contracts and complex setups, xonPlus offers transparent monthly pricing with 5x to 10x cost efficiency compared to traditional costly solutions. It complements existing security stacks by focusing purely on breach exposure detection.

The platform serves three primary use cases: 

*   **xonEnterprise** for domain-wide monitoring, 
*   **xonConsumer** for customer breach alerts, and 
*   **xonAPI** for developers building security tools.

**Target Market**

**xonPlus** is designed for security teams needing earlier breach visibility, startups and SMBs without full SOC coverage, developers integrating breach detection capabilities, and risk teams focused on account takeover prevention and minimizing ransomware infections.

Teams using xonPlus have cut detection time from weeks to minutes, enabling them to lock compromised accounts before attackers gain access.

**Availability**

xonPlus is immediately available as a SaaS platform with monthly subscription plans.

**Users can learn more**: https://plus.xposedornot.com/

**Users can launch the story**: https://blog.xposedornot.com/xonplus-launch/

**About xonPlus**

xonPlus is built by the team behind XposedOrNot, the open-source breach detection platform that has helped millions of users check their exposure to data breaches. Based in Chennai, India, the company focuses on making breach intelligence accessible to security teams of all sizes.

**Contact**

**Founder**  
**Devanand Premkumar**  
**\[email protected\]**

Source

HackRead